From 2f96eed4aff41beef9c74f447f668e736e41bbe2 Mon Sep 17 00:00:00 2001 From: Julian Lam Date: Mon, 12 Jan 2026 14:07:45 -0500 Subject: [PATCH] fix: guard against negative uids crossposting --- src/topics/crossposts.js | 10 ++++++++++ test/topics/crossposts.js | 7 +++++++ 2 files changed, 17 insertions(+) diff --git a/src/topics/crossposts.js b/src/topics/crossposts.js index d71d83f714..2308242220 100644 --- a/src/topics/crossposts.js +++ b/src/topics/crossposts.js @@ -37,6 +37,13 @@ Crossposts.get = async function (tid) { }; Crossposts.add = async function (tid, cid, uid) { + console.log('ADD WAS CALLED!!', tid, cid, uid); + return; + /** + * NOTE: If uid is 0, the assumption is that it is a "system" crosspost, not a guest! + * (Normally guest uid is 0) + */ + // Target cid must exist if (!utils.isNumber(cid)) { await activitypub.actors.assert(cid); @@ -45,6 +52,9 @@ Crossposts.add = async function (tid, cid, uid) { if (!exists) { throw new Error('[[error:invalid-cid]]'); } + if (uid < 0) { + throw new Error('[[error:invalid-uid]]'); + } const crossposts = await Crossposts.get(tid); const crosspostedCids = crossposts.map(crosspost => String(crosspost.cid)); diff --git a/test/topics/crossposts.js b/test/topics/crossposts.js index 174fda26d0..ec6fe66aa5 100644 --- a/test/topics/crossposts.js +++ b/test/topics/crossposts.js @@ -84,6 +84,13 @@ describe('Crossposting (& related logic)', () => { tid = topicData.tid; }); + it('should not allow a spider (uid -1) to crosspost', async () => { + await assert.rejects( + topics.crossposts.add(tid, cid2, -1), + { message: '[[error:invalid-uid]]' } + ); + }); + it('should successfully crosspost to another cid', async () => { const crossposts = await topics.crossposts.add(tid, cid2, uid);